Update 11/8/2022: We have now released November 2022 Security Updates for Exchange Server. Please install those (or newer) updates to address vulnerabilities mentioned in this post. Mitigations are n...
Updated Nov 08, 2022
Version 17.0
Blog Post
2 MIN READ
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
m49808, the original workaround ("/Autodiscover") would protect against this:
https://yourexchangeurl/autodiscover/autodiscover.json@notreallyevilpowershell
and the new workaround ("Default Web Site") would also protect against this:
https://yourexchangeurl/autodiscover.json@notreallyevilpowershell
https://yourexchangeurl/owa/autodiscover.json@notreallyevilpowershell
https://yourexchangeurl/OAB/autodiscover.json@notreallyevilpowershell
...
If the remediation is working, you'll get "HTTP ERROR 403"
If it's not working, you'll get an authentication prompt/"HTTP ERROR 401"
I am personally confident that the "Default Web Site" will cover all cases, but you don't know me from a hole in the wall.
Heck, you could even do rules in both places (must rename at least one of them), but the /Autodiscover one will be redundant.